netsupport | d843357fee8f463e8235fe3e144db173d022a995e9cd8b721c7ed10966551d83

Analysis

max time kernel
137s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TwchinSetup-x86.appx
Size

46.5MB
MD5

0e8d41f8b3bbb4eb57c80d1cdcfdbe3c
SHA1

8de4a0fe3a0abe406fcb9a51e5523125df57e469
SHA256

d843357fee8f463e8235fe3e144db173d022a995e9cd8b721c7ed10966551d83
SHA512

bf2dbd2720a533babb6754f896b1030f6ab8b5545b30fd271061c25b090c8a9ecde3370b33f744e6b293e6fd5b7831ce64e0651f41ecdfd84d1cfc64d1e1b116
SSDEEP

786432:QEMMmVPoJoc5CzBMTYe2/g7DaiUrsa05zP3YPHk2mOH0AunxaCYWrc/7R8cNcGjv:QEM9VP2oc5Cd+Yb47eiUIa09KHk2maOc

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
220	PowerShell.exe
220	PowerShell.exe
4944	PowerShell.exe
4944	PowerShell.exe
4664	taskmgr.exe
4664	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	4808	firefox.exe
Token: SeDebugPrivilege	4808	firefox.exe
Token: SeDebugPrivilege	220	PowerShell.exe
Token: SeDebugPrivilege	4944	PowerShell.exe
Token: SeDebugPrivilege	4664	taskmgr.exe
Token: SeSystemProfilePrivilege	4664	taskmgr.exe
Token: SeCreateGlobalPrivilege	4664	taskmgr.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe
4664	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4808	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 4808	3336	firefox.exe	95
PID 3336 wrote to memory of 4808	3336	firefox.exe	95
PID 3336 wrote to memory of 4808	3336	firefox.exe	95
PID 3336 wrote to memory of 4808	3336	firefox.exe	95
PID 3336 wrote to memory of 4808	3336	firefox.exe	95
PID 3336 wrote to memory of 4808	3336	firefox.exe	95
PID 3336 wrote to memory of 4808	3336	firefox.exe	95
PID 3336 wrote to memory of 4808	3336	firefox.exe	95
PID 3336 wrote to memory of 4808	3336	firefox.exe	95
PID 3336 wrote to memory of 4808	3336	firefox.exe	95
PID 3336 wrote to memory of 4808	3336	firefox.exe	95
PID 4808 wrote to memory of 3060	4808	firefox.exe	96
PID 4808 wrote to memory of 3060	4808	firefox.exe	96
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 4488	4808	firefox.exe	97
PID 4808 wrote to memory of 2704	4808	firefox.exe	98
PID 4808 wrote to memory of 2704	4808	firefox.exe	98
PID 4808 wrote to memory of 2704	4808	firefox.exe	98

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:AppsFolder\Amazon.comInc..TwitchVentures_cvpb331a1f8hw!TwitchStudio YourServiceHostedService YourServiceHostedService1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4808.0.1604111410\991278399" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f793168b-9826-4292-8b5f-e49f988fa1b9} 4808 "\\.\pipe\gecko-crash-server-pipe.4808" 1976 1e5596fa458 gpu
    3⤵
    PID:3060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4808.1.11080463\584049728" -parentBuildID 20221007134813 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc24a75a-a6d6-49f2-8e91-87c062fb8a83} 4808 "\\.\pipe\gecko-crash-server-pipe.4808" 2376 1e558e30e58 socket
    3⤵
    PID:4488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4808.2.202590548\917695738" -childID 1 -isForBrowser -prefsHandle 3196 -prefMapHandle 3188 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecb9c998-2c39-499a-9d65-46abcc4f55a9} 4808 "\\.\pipe\gecko-crash-server-pipe.4808" 2960 1e55d5bbc58 tab
    3⤵
    PID:2704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4808.3.315867022\1843079358" -childID 2 -isForBrowser -prefsHandle 3692 -prefMapHandle 3680 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a45b9366-1e2e-47d6-8773-052d72fe400f} 4808 "\\.\pipe\gecko-crash-server-pipe.4808" 3716 1e54cb61c58 tab
    3⤵
    PID:776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4808.4.1066208630\85136041" -childID 3 -isForBrowser -prefsHandle 4412 -prefMapHandle 4404 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b650727-d0bf-471e-9d83-1003cedff263} 4808 "\\.\pipe\gecko-crash-server-pipe.4808" 4416 1e55f1eac58 tab
    3⤵
    PID:3648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4808.5.971622468\454730800" -childID 4 -isForBrowser -prefsHandle 5004 -prefMapHandle 4996 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a323aa5-c169-47e2-84ea-51e0979fc52b} 4808 "\\.\pipe\gecko-crash-server-pipe.4808" 5032 1e54cb5eb58 tab
    3⤵
    PID:4704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4808.6.189638417\1288866767" -childID 5 -isForBrowser -prefsHandle 5280 -prefMapHandle 5276 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f377211-1d3a-4cc9-8df4-df8bc7c052b5} 4808 "\\.\pipe\gecko-crash-server-pipe.4808" 5288 1e55f896058 tab
    3⤵
    PID:4812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4808.7.1767431508\1663750453" -childID 6 -isForBrowser -prefsHandle 5436 -prefMapHandle 5440 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78251284-4fe5-4be9-8467-7f63f0689ba3} 4808 "\\.\pipe\gecko-crash-server-pipe.4808" 5240 1e55f897258 tab
    3⤵
    PID:3356

C:\Program Files\WindowsApps\Amazon.comInc..TwitchVentures_8.0.0.0_x86__cvpb331a1f8hw\AI_STUBS\AiStubX86.exe
"C:\Program Files\WindowsApps\Amazon.comInc..TwitchVentures_8.0.0.0_x86__cvpb331a1f8hw\AI_STUBS\AiStubX86.exe"
1⤵
PID:4388
- C:\Windows\SysWOW64\xcopy.exe
  "xcopy.exe" "C:\Program Files\WindowsApps\Amazon.comInc..TwitchVentures_8.0.0.0_x86__cvpb331a1f8hw\VFS\AppData" "C:\Users\Admin\AppData\Local\Packages\Amazon.comInc..TwitchVentures_cvpb331a1f8hw\LocalCache\Roaming" /e /s /y /c /h /q /i /k
  2⤵
  PID:4316
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -noprofile -command "'TwitchStudioSetup-network_[referrer-studio_page].exe', 'C:\Users\Admin\Desktop\TwitchStudio.lnk', 'TwitchStudio', 'none', 'C:\Program Files\WindowsApps\Amazon.comInc..TwitchVentures_8.0.0.0_x86__cvpb331a1f8hw\AI_STUBS\TwitchStudioSetup-network_[referrer-studio_page].0.ico', 'C:\Program Files\WindowsApps\Amazon.comInc..TwitchVentures_8.0.0.0_x86__cvpb331a1f8hw\', 1, 'none', 'none'" | "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -noprofile -encodedcommand DQAKACAAIABwAGEAcgBhAG0AIAAoAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABUAGEAcgBnAGUAdABQAGEAdABoACwADQAKACAAIAANAAoAIAAgACAAIABbAHAAYQByAGEAbQBlAHQAZQByACgAbQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAA0ACgAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABEAGUAcwBjAHIAaQBwAHQAaQBvAG4ALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABBAHIAZwB1AG0AZQBuAHQAcwAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAEkAYwBvAG4ATABvAGMAYQB0AGkAbwBuACwADQAKACAAIAANAAoAIAAgACAAIABbAHAAYQByAGEAbQBlAHQAZQByACgAbQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAA0ACgAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHYAYQBsAGkAZABhAHQAZQBzAGUAdAAoADEALAAzACwANwApAF0AIAAgACAAIAANAAoAIAAgACAAIABbAGkAbgB0AF0AIAAkAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ADEALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABIAG8AdABrAGUAeQAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAFIAdQBuAEEAcwBBAGQAbQBpAG4ADQAKACAAIAApAA0ACgAgACAADQAKACAAIABpAGYAIAAoACAAIQAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApACkADQAKACAAIAB7AA0ACgAgACAAIAAgAE4AZQB3AC0ASQB0AGUAbQAgAC0ASQB0AGUAbQBUAHkAcABlACAARgBpAGwAZQAgAC0ARgBvAHIAYwBlACAALQBQAGEAdABoACAAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAANAAoAIAAgAH0ADQAKACAAIAANAAoAIAAgACQAVwBzAGgAUwBoAGUAbABsACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAAgACAAIAANAAoAIAAgACQAUwBoAG8AcgB0AGMAdQB0ACAAPQAgACQAVwBzAGgAUwBoAGUAbABsAC4AQwByAGUAYQB0AGUAUwBoAG8AcgB0AGMAdQB0ACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApAA0ACgAgACAAJABTAGgAbwByAHQAYwB1AHQALgBUAGEAcgBnAGUAdABQAGEAdABoACAAPQAgACQAVABhAHIAZwBlAHQAUABhAHQAaAANAAoAIAAgAGkAZgAoACQARABlAHMAYwByAGkAcAB0AGkAbwBuACAALQBuAGUAIAAnAG4AbwBuAGUAJwApACAAewAgACQAUwBoAG8AcgB0AGMAdQB0AC4ARABlAHMAYwByAGkAcAB0AGkAbwBuACAAPQAgACQARABlAHMAYwByAGkAcAB0AGkAbwBuACAAfQANAAoAIAAgAGkAZgAoACQAQQByAGcAdQBtAGUAbgB0AHMAIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABTAGgAbwByAHQAYwB1AHQALgBBAHIAZwB1AG0AZQBuAHQAcwAgAD0AIAAkAEEAcgBnAHUAbQBlAG4AdABzACAAfQANAAoAIAAgAGkAZgAoACQASQBjAG8AbgBMAG8AYwBhAHQAaQBvAG4AIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABzAGgAbwByAHQAYwB1AHQALgBJAGMAbwBuAEwAbwBjAGEAdABpAG8AbgAgAD0AIAAkAEkAYwBvAG4ATABvAGMAYQB0AGkAbwBuACAAfQANAAoAIAAgAGkAZgAoACQAVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAgAC0AbgBlACAAJwBuAG8AbgBlACcAKQAgAHsAIAAkAHMAaABvAHIAdABjAHUAdAAuAFcAbwByAGsAaQBuAGcARABpAHIAZQBjAHQAbwByAHkAIAA9ACAAJABXAG8AcgBrAGkAbgBnAEQAaQByAGUAYwB0AG8AcgB5ACAAfQANAAoAIAAgAGkAZgAoACQAVwBpAG4AZABvAHcAUwB0AHkAbABlACAALQBuAGUAIAAnAG4AbwBuAGUAJwApACAAewAgACQAcwBoAG8AcgB0AGMAdQB0AC4AVwBpAG4AZABvAHcAUwB0AHkAbABlACAAPQAgACQAVwBpAG4AZABvAHcAUwB0AHkAbABlACAAfQANAAoAIAAgAGkAZgAoACQASABvAHQAawBlAHkAIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABzAGgAbwByAHQAYwB1AHQALgBIAG8AdABrAGUAeQAgAD0AIAAkAEgAbwB0AGsAZQB5ACAAfQANAAoAIAAgACQAUwBoAG8AcgB0AGMAdQB0AC4AUwBhAHYAZQAoACkADQAKAA0ACgAgACAAaQBmACAAKAAkAFIAdQBuAEEAcwBBAGQAbQBpAG4AIAAtAGUAcQAgACcAcgB1AG4AQQBzAEEAZABtAGkAbgAnACkADQAKACAAIAB7AA0ACgAgACAAIAAgACQAYgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApAA0ACgAgACAAIAAgACQAYgB5AHQAZQBzAFsAMAB4ADEANQBdACAAPQAgACQAYgB5AHQAZQBzAFsAMAB4ADEANQBdACAALQBiAG8AcgAgADAAeAAyADAAIAAjAHMAZQB0ACAAYgB5AHQAZQAgADIAMQAgACgAMAB4ADEANQApACAAYgBpAHQAIAA2ACAAKAAwAHgAMgAwACkAIABPAE4AIAANAAoAIAAgACAAIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAQgB5AHQAZQBzACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAAsACAAJABiAHkAdABlAHMAKQANAAoAIAAgAH0ADQAKAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -noprofile -encodedcommand DQAKACAAIABwAGEAcgBhAG0AIAAoAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABUAGEAcgBnAGUAdABQAGEAdABoACwADQAKACAAIAANAAoAIAAgACAAIABbAHAAYQByAGEAbQBlAHQAZQByACgAbQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAA0ACgAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABEAGUAcwBjAHIAaQBwAHQAaQBvAG4ALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABBAHIAZwB1AG0AZQBuAHQAcwAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAEkAYwBvAG4ATABvAGMAYQB0AGkAbwBuACwADQAKACAAIAANAAoAIAAgACAAIABbAHAAYQByAGEAbQBlAHQAZQByACgAbQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAA0ACgAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHYAYQBsAGkAZABhAHQAZQBzAGUAdAAoADEALAAzACwANwApAF0AIAAgACAAIAANAAoAIAAgACAAIABbAGkAbgB0AF0AIAAkAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ADEALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABIAG8AdABrAGUAeQAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAFIAdQBuAEEAcwBBAGQAbQBpAG4ADQAKACAAIAApAA0ACgAgACAADQAKACAAIABpAGYAIAAoACAAIQAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApACkADQAKACAAIAB7AA0ACgAgACAAIAAgAE4AZQB3AC0ASQB0AGUAbQAgAC0ASQB0AGUAbQBUAHkAcABlACAARgBpAGwAZQAgAC0ARgBvAHIAYwBlACAALQBQAGEAdABoACAAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAANAAoAIAAgAH0ADQAKACAAIAANAAoAIAAgACQAVwBzAGgAUwBoAGUAbABsACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAAgACAAIAANAAoAIAAgACQAUwBoAG8AcgB0AGMAdQB0ACAAPQAgACQAVwBzAGgAUwBoAGUAbABsAC4AQwByAGUAYQB0AGUAUwBoAG8AcgB0AGMAdQB0ACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApAA0ACgAgACAAJABTAGgAbwByAHQAYwB1AHQALgBUAGEAcgBnAGUAdABQAGEAdABoACAAPQAgACQAVABhAHIAZwBlAHQAUABhAHQAaAANAAoAIAAgAGkAZgAoACQARABlAHMAYwByAGkAcAB0AGkAbwBuACAALQBuAGUAIAAnAG4AbwBuAGUAJwApACAAewAgACQAUwBoAG8AcgB0AGMAdQB0AC4ARABlAHMAYwByAGkAcAB0AGkAbwBuACAAPQAgACQARABlAHMAYwByAGkAcAB0AGkAbwBuACAAfQANAAoAIAAgAGkAZgAoACQAQQByAGcAdQBtAGUAbgB0AHMAIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABTAGgAbwByAHQAYwB1AHQALgBBAHIAZwB1AG0AZQBuAHQAcwAgAD0AIAAkAEEAcgBnAHUAbQBlAG4AdABzACAAfQANAAoAIAAgAGkAZgAoACQASQBjAG8AbgBMAG8AYwBhAHQAaQBvAG4AIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABzAGgAbwByAHQAYwB1AHQALgBJAGMAbwBuAEwAbwBjAGEAdABpAG8AbgAgAD0AIAAkAEkAYwBvAG4ATABvAGMAYQB0AGkAbwBuACAAfQANAAoAIAAgAGkAZgAoACQAVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAgAC0AbgBlACAAJwBuAG8AbgBlACcAKQAgAHsAIAAkAHMAaABvAHIAdABjAHUAdAAuAFcAbwByAGsAaQBuAGcARABpAHIAZQBjAHQAbwByAHkAIAA9ACAAJABXAG8AcgBrAGkAbgBnAEQAaQByAGUAYwB0AG8AcgB5ACAAfQANAAoAIAAgAGkAZgAoACQAVwBpAG4AZABvAHcAUwB0AHkAbABlACAALQBuAGUAIAAnAG4AbwBuAGUAJwApACAAewAgACQAcwBoAG8AcgB0AGMAdQB0AC4AVwBpAG4AZABvAHcAUwB0AHkAbABlACAAPQAgACQAVwBpAG4AZABvAHcAUwB0AHkAbABlACAAfQANAAoAIAAgAGkAZgAoACQASABvAHQAawBlAHkAIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABzAGgAbwByAHQAYwB1AHQALgBIAG8AdABrAGUAeQAgAD0AIAAkAEgAbwB0AGsAZQB5ACAAfQANAAoAIAAgACQAUwBoAG8AcgB0AGMAdQB0AC4AUwBhAHYAZQAoACkADQAKAA0ACgAgACAAaQBmACAAKAAkAFIAdQBuAEEAcwBBAGQAbQBpAG4AIAAtAGUAcQAgACcAcgB1AG4AQQBzAEEAZABtAGkAbgAnACkADQAKACAAIAB7AA0ACgAgACAAIAAgACQAYgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApAA0ACgAgACAAIAAgACQAYgB5AHQAZQBzAFsAMAB4ADEANQBdACAAPQAgACQAYgB5AHQAZQBzAFsAMAB4ADEANQBdACAALQBiAG8AcgAgADAAeAAyADAAIAAjAHMAZQB0ACAAYgB5AHQAZQAgADIAMQAgACgAMAB4ADEANQApACAAYgBpAHQAIAA2ACAAKAAwAHgAMgAwACkAIABPAE4AIAANAAoAIAAgACAAIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAQgB5AHQAZQBzACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAAsACAAJABiAHkAdABlAHMAKQANAAoAIAAgAH0ADQAKAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4944
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -noprofile -command "'TwitchStudioSetup-network_[referrer-studio_page].exe', 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Twichin\TwitchStudio.lnk', 'TwitchStudio', 'none', 'C:\Program Files\WindowsApps\Amazon.comInc..TwitchVentures_8.0.0.0_x86__cvpb331a1f8hw\AI_STUBS\TwitchStudioSetup-network_[referrer-studio_page].1.ico', 'C:\Program Files\WindowsApps\Amazon.comInc..TwitchVentures_8.0.0.0_x86__cvpb331a1f8hw\', 1, 'none', 'none'" | "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -noprofile -encodedcommand DQAKACAAIABwAGEAcgBhAG0AIAAoAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABUAGEAcgBnAGUAdABQAGEAdABoACwADQAKACAAIAANAAoAIAAgACAAIABbAHAAYQByAGEAbQBlAHQAZQByACgAbQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAA0ACgAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABEAGUAcwBjAHIAaQBwAHQAaQBvAG4ALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABBAHIAZwB1AG0AZQBuAHQAcwAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAEkAYwBvAG4ATABvAGMAYQB0AGkAbwBuACwADQAKACAAIAANAAoAIAAgACAAIABbAHAAYQByAGEAbQBlAHQAZQByACgAbQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAA0ACgAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHYAYQBsAGkAZABhAHQAZQBzAGUAdAAoADEALAAzACwANwApAF0AIAAgACAAIAANAAoAIAAgACAAIABbAGkAbgB0AF0AIAAkAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ADEALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABIAG8AdABrAGUAeQAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAFIAdQBuAEEAcwBBAGQAbQBpAG4ADQAKACAAIAApAA0ACgAgACAADQAKACAAIABpAGYAIAAoACAAIQAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApACkADQAKACAAIAB7AA0ACgAgACAAIAAgAE4AZQB3AC0ASQB0AGUAbQAgAC0ASQB0AGUAbQBUAHkAcABlACAARgBpAGwAZQAgAC0ARgBvAHIAYwBlACAALQBQAGEAdABoACAAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAANAAoAIAAgAH0ADQAKACAAIAANAAoAIAAgACQAVwBzAGgAUwBoAGUAbABsACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAAgACAAIAANAAoAIAAgACQAUwBoAG8AcgB0AGMAdQB0ACAAPQAgACQAVwBzAGgAUwBoAGUAbABsAC4AQwByAGUAYQB0AGUAUwBoAG8AcgB0AGMAdQB0ACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApAA0ACgAgACAAJABTAGgAbwByAHQAYwB1AHQALgBUAGEAcgBnAGUAdABQAGEAdABoACAAPQAgACQAVABhAHIAZwBlAHQAUABhAHQAaAANAAoAIAAgAGkAZgAoACQARABlAHMAYwByAGkAcAB0AGkAbwBuACAALQBuAGUAIAAnAG4AbwBuAGUAJwApACAAewAgACQAUwBoAG8AcgB0AGMAdQB0AC4ARABlAHMAYwByAGkAcAB0AGkAbwBuACAAPQAgACQARABlAHMAYwByAGkAcAB0AGkAbwBuACAAfQANAAoAIAAgAGkAZgAoACQAQQByAGcAdQBtAGUAbgB0AHMAIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABTAGgAbwByAHQAYwB1AHQALgBBAHIAZwB1AG0AZQBuAHQAcwAgAD0AIAAkAEEAcgBnAHUAbQBlAG4AdABzACAAfQANAAoAIAAgAGkAZgAoACQASQBjAG8AbgBMAG8AYwBhAHQAaQBvAG4AIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABzAGgAbwByAHQAYwB1AHQALgBJAGMAbwBuAEwAbwBjAGEAdABpAG8AbgAgAD0AIAAkAEkAYwBvAG4ATABvAGMAYQB0AGkAbwBuACAAfQANAAoAIAAgAGkAZgAoACQAVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAgAC0AbgBlACAAJwBuAG8AbgBlACcAKQAgAHsAIAAkAHMAaABvAHIAdABjAHUAdAAuAFcAbwByAGsAaQBuAGcARABpAHIAZQBjAHQAbwByAHkAIAA9ACAAJABXAG8AcgBrAGkAbgBnAEQAaQByAGUAYwB0AG8AcgB5ACAAfQANAAoAIAAgAGkAZgAoACQAVwBpAG4AZABvAHcAUwB0AHkAbABlACAALQBuAGUAIAAnAG4AbwBuAGUAJwApACAAewAgACQAcwBoAG8AcgB0AGMAdQB0AC4AVwBpAG4AZABvAHcAUwB0AHkAbABlACAAPQAgACQAVwBpAG4AZABvAHcAUwB0AHkAbABlACAAfQANAAoAIAAgAGkAZgAoACQASABvAHQAawBlAHkAIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABzAGgAbwByAHQAYwB1AHQALgBIAG8AdABrAGUAeQAgAD0AIAAkAEgAbwB0AGsAZQB5ACAAfQANAAoAIAAgACQAUwBoAG8AcgB0AGMAdQB0AC4AUwBhAHYAZQAoACkADQAKAA0ACgAgACAAaQBmACAAKAAkAFIAdQBuAEEAcwBBAGQAbQBpAG4AIAAtAGUAcQAgACcAcgB1AG4AQQBzAEEAZABtAGkAbgAnACkADQAKACAAIAB7AA0ACgAgACAAIAAgACQAYgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApAA0ACgAgACAAIAAgACQAYgB5AHQAZQBzAFsAMAB4ADEANQBdACAAPQAgACQAYgB5AHQAZQBzAFsAMAB4ADEANQBdACAALQBiAG8AcgAgADAAeAAyADAAIAAjAHMAZQB0ACAAYgB5AHQAZQAgADIAMQAgACgAMAB4ADEANQApACAAYgBpAHQAIAA2ACAAKAAwAHgAMgAwACkAIABPAE4AIAANAAoAIAAgACAAIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAQgB5AHQAZQBzACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAAsACAAJABiAHkAdABlAHMAKQANAAoAIAAgAH0ADQAKAA==
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -noprofile -encodedcommand DQAKACAAIABwAGEAcgBhAG0AIAAoAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABUAGEAcgBnAGUAdABQAGEAdABoACwADQAKACAAIAANAAoAIAAgACAAIABbAHAAYQByAGEAbQBlAHQAZQByACgAbQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAA0ACgAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABEAGUAcwBjAHIAaQBwAHQAaQBvAG4ALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABBAHIAZwB1AG0AZQBuAHQAcwAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAEkAYwBvAG4ATABvAGMAYQB0AGkAbwBuACwADQAKACAAIAANAAoAIAAgACAAIABbAHAAYQByAGEAbQBlAHQAZQByACgAbQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAA0ACgAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHYAYQBsAGkAZABhAHQAZQBzAGUAdAAoADEALAAzACwANwApAF0AIAAgACAAIAANAAoAIAAgACAAIABbAGkAbgB0AF0AIAAkAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ADEALAANAAoAIAAgAA0ACgAgACAAIAAgAFsAcABhAHIAYQBtAGUAdABlAHIAKABtAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQApAF0ADQAKACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABIAG8AdABrAGUAeQAsAA0ACgAgACAADQAKACAAIAAgACAAWwBwAGEAcgBhAG0AZQB0AGUAcgAoAG0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACkAXQANAAoAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAFIAdQBuAEEAcwBBAGQAbQBpAG4ADQAKACAAIAApAA0ACgAgACAADQAKACAAIABpAGYAIAAoACAAIQAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApACkADQAKACAAIAB7AA0ACgAgACAAIAAgAE4AZQB3AC0ASQB0AGUAbQAgAC0ASQB0AGUAbQBUAHkAcABlACAARgBpAGwAZQAgAC0ARgBvAHIAYwBlACAALQBQAGEAdABoACAAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAANAAoAIAAgAH0ADQAKACAAIAANAAoAIAAgACQAVwBzAGgAUwBoAGUAbABsACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAAgACAAIAANAAoAIAAgACQAUwBoAG8AcgB0AGMAdQB0ACAAPQAgACQAVwBzAGgAUwBoAGUAbABsAC4AQwByAGUAYQB0AGUAUwBoAG8AcgB0AGMAdQB0ACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApAA0ACgAgACAAJABTAGgAbwByAHQAYwB1AHQALgBUAGEAcgBnAGUAdABQAGEAdABoACAAPQAgACQAVABhAHIAZwBlAHQAUABhAHQAaAANAAoAIAAgAGkAZgAoACQARABlAHMAYwByAGkAcAB0AGkAbwBuACAALQBuAGUAIAAnAG4AbwBuAGUAJwApACAAewAgACQAUwBoAG8AcgB0AGMAdQB0AC4ARABlAHMAYwByAGkAcAB0AGkAbwBuACAAPQAgACQARABlAHMAYwByAGkAcAB0AGkAbwBuACAAfQANAAoAIAAgAGkAZgAoACQAQQByAGcAdQBtAGUAbgB0AHMAIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABTAGgAbwByAHQAYwB1AHQALgBBAHIAZwB1AG0AZQBuAHQAcwAgAD0AIAAkAEEAcgBnAHUAbQBlAG4AdABzACAAfQANAAoAIAAgAGkAZgAoACQASQBjAG8AbgBMAG8AYwBhAHQAaQBvAG4AIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABzAGgAbwByAHQAYwB1AHQALgBJAGMAbwBuAEwAbwBjAGEAdABpAG8AbgAgAD0AIAAkAEkAYwBvAG4ATABvAGMAYQB0AGkAbwBuACAAfQANAAoAIAAgAGkAZgAoACQAVwBvAHIAawBpAG4AZwBEAGkAcgBlAGMAdABvAHIAeQAgAC0AbgBlACAAJwBuAG8AbgBlACcAKQAgAHsAIAAkAHMAaABvAHIAdABjAHUAdAAuAFcAbwByAGsAaQBuAGcARABpAHIAZQBjAHQAbwByAHkAIAA9ACAAJABXAG8AcgBrAGkAbgBnAEQAaQByAGUAYwB0AG8AcgB5ACAAfQANAAoAIAAgAGkAZgAoACQAVwBpAG4AZABvAHcAUwB0AHkAbABlACAALQBuAGUAIAAnAG4AbwBuAGUAJwApACAAewAgACQAcwBoAG8AcgB0AGMAdQB0AC4AVwBpAG4AZABvAHcAUwB0AHkAbABlACAAPQAgACQAVwBpAG4AZABvAHcAUwB0AHkAbABlACAAfQANAAoAIAAgAGkAZgAoACQASABvAHQAawBlAHkAIAAtAG4AZQAgACcAbgBvAG4AZQAnACkAIAB7ACAAJABzAGgAbwByAHQAYwB1AHQALgBIAG8AdABrAGUAeQAgAD0AIAAkAEgAbwB0AGsAZQB5ACAAfQANAAoAIAAgACQAUwBoAG8AcgB0AGMAdQB0AC4AUwBhAHYAZQAoACkADQAKAA0ACgAgACAAaQBmACAAKAAkAFIAdQBuAEEAcwBBAGQAbQBpAG4AIAAtAGUAcQAgACcAcgB1AG4AQQBzAEEAZABtAGkAbgAnACkADQAKACAAIAB7AA0ACgAgACAAIAAgACQAYgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAApAA0ACgAgACAAIAAgACQAYgB5AHQAZQBzAFsAMAB4ADEANQBdACAAPQAgACQAYgB5AHQAZQBzAFsAMAB4ADEANQBdACAALQBiAG8AcgAgADAAeAAyADAAIAAjAHMAZQB0ACAAYgB5AHQAZQAgADIAMQAgACgAMAB4ADEANQApACAAYgBpAHQAIAA2ACAAKAAwAHgAMgAwACkAIABPAE4AIAANAAoAIAAgACAAIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAQgB5AHQAZQBzACgAJABEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAAsACAAJABiAHkAdABlAHMAKQANAAoAIAAgAH0ADQAKAA==
    3⤵
    PID:540
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\Amazon.comInc..TwitchVentures_8.0.0.0_x86__cvpb331a1f8hw\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file 'C:\Program Files\WindowsApps\Amazon.comInc..TwitchVentures_8.0.0.0_x86__cvpb331a1f8hw\soul goodman+meta_v2.ps1'"
  2⤵
  PID:2676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\Amazon.comInc..TwitchVentures_8.0.0.0_x86__cvpb331a1f8hw\soul goodman+meta_v2.ps1"
    3⤵
    PID:1988

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PowerShell.exe.log

Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5ad3ed5e15a98b6bbe4ac8a0ab6357b4

SHA1
a740112efe63874b035bdc2fdd9795ab985358af

SHA256
ac40021e924d5029d1a5db99fc08b88571ef1659476f638d22e5d2160c8d3e0c

SHA512
a34a0921e3d1f81dad2dcf20b18197c5047eb592bc8d43879bed4cb7db34f80e21ef96650966d592b8ba1487665060bbf83d2bc93160933bf06c61f003ab48bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
3c0a5b5e6a6178f6aa7b0086670d6cb8

SHA1
e0e85562a928af0d6a4203e9963d461f97df64e5

SHA256
01795e0365bee97983bb08b58c8fe89f6f98526725b5cebb20b6b1f700db27d6

SHA512
cbff786c9a93d0921df031695e3ba16f756f5520caed23c6e81b74c5d45b9c463ccdd0413d5ee57e83c16b9dfeface918fbb149522755761d2eba51b66203d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
3c0a5b5e6a6178f6aa7b0086670d6cb8

SHA1
e0e85562a928af0d6a4203e9963d461f97df64e5

SHA256
01795e0365bee97983bb08b58c8fe89f6f98526725b5cebb20b6b1f700db27d6

SHA512
cbff786c9a93d0921df031695e3ba16f756f5520caed23c6e81b74c5d45b9c463ccdd0413d5ee57e83c16b9dfeface918fbb149522755761d2eba51b66203d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
83f547dabf1bb5faa9256d8a949aed1c

SHA1
2388ba8a8bce2e5567d609175b2917082cd4846d

SHA256
97fa1152e221ceeb34658f228207febac95d03825475a89e488570898d1434bf

SHA512
d6b728c126b71038c0c0364248fe7f9cbc00a222ff56db93379a3ded6d29bc035d7e33d4ead9566230ea2d49cf3ce4fc66b5be83124c3e24c4505e1e7e21862b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
83f547dabf1bb5faa9256d8a949aed1c

SHA1
2388ba8a8bce2e5567d609175b2917082cd4846d

SHA256
97fa1152e221ceeb34658f228207febac95d03825475a89e488570898d1434bf

SHA512
d6b728c126b71038c0c0364248fe7f9cbc00a222ff56db93379a3ded6d29bc035d7e33d4ead9566230ea2d49cf3ce4fc66b5be83124c3e24c4505e1e7e21862b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vjiou3c0.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
2b7ce232d4b94bd7b9a2649111d87f1a

SHA1
573e05605b4289093c8a9a6b7b2163511f0dc792

SHA256
67aea31ad1a9628c5961008ec66fc35bb0c5dfaf3193c154f3dce4eb7873bbc9

SHA512
4ba743eb75a8cc79a0fc7ac9f7ee2035fee25b2bda35f2519185c7a0df2622e68245908f3988f00ad9a99365b3bc16f84d81a9dbde48a816da1e47737acdccb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ypvbka5f.dx5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\prefs-1.js

Filesize
6KB

MD5
34d262279f52518b11dc70a8bcbc625a

SHA1
12c5c23c6f8a77ca89d4b36a9136e8d42d8929f0

SHA256
5d9969119f9532153c8759fc477963bc5dcef0d46163f3f0b15e61a7c2137839

SHA512
7200421748bdecfa9bb3b955a6f876c174b4f04e913ec8b5a9f6f75ffe0ec86750dbadae1302e7bdde2cb77e186e443f9ba23ff83a837f911ce50c2404d8f1e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\sessionstore.jsonlz4

Filesize
886B

MD5
44abf4579a957fe3428859bfde2d1de9

SHA1
79741dd0b2b85b67b62dfb5cad08b2b94f4fc07e

SHA256
b86365be037c39fe6ecd78d16ed85ef23f209aebfd0b7df0b1b60cd57365f30a

SHA512
d0609f3ae122b3a7146c2c1e990df16ee1a486c7b3cf700d59f7594149e5413718c0e8cb50d53decbd42fba3140ab913373a725371c0e3b78477dce4d4171ece

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
a1debf7a163544ffeb7e538314399bfa

SHA1
1769cc05df51f06eef70f0d13c8bde0f062e3b73

SHA256
e3e9817d8630a3e71dfdf0be864de3024eece42e04dfadc532a6583371d7cf62

SHA512
522cf16bbe5ac44b54752382d89d68f69f0813709db00e4e72839ca7ac00a7d0b1f7272dcebdbebc9c638f06645a1647e6c33c6bc2d2110f6c7ca129cf272415

Download Submit
memory/220-125-0x0000000070CD0000-0x0000000071480000-memory.dmp

Filesize
7.7MB

Download
memory/220-160-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/220-127-0x00000000048C0000-0x00000000048F6000-memory.dmp

Filesize
216KB

Download
memory/220-128-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/220-129-0x0000000004F80000-0x00000000055A8000-memory.dmp

Filesize
6.2MB

Download
memory/220-130-0x0000000004F50000-0x0000000004F72000-memory.dmp

Filesize
136KB

Download
memory/220-131-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/220-134-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/220-172-0x0000000070CD0000-0x0000000071480000-memory.dmp

Filesize
7.7MB

Download
memory/220-143-0x0000000005EC0000-0x0000000005EDE000-memory.dmp

Filesize
120KB

Download
memory/220-126-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/220-159-0x0000000070CD0000-0x0000000071480000-memory.dmp

Filesize
7.7MB

Download
memory/220-158-0x0000000006400000-0x000000000641A000-memory.dmp

Filesize
104KB

Download
memory/220-153-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/220-157-0x0000000007700000-0x0000000007D7A000-memory.dmp

Filesize
6.5MB

Download
memory/540-215-0x0000000070CD0000-0x0000000071480000-memory.dmp

Filesize
7.7MB

Download
memory/540-199-0x0000000070CD0000-0x0000000071480000-memory.dmp

Filesize
7.7MB

Download
memory/540-201-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/540-202-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/540-212-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/1764-174-0x0000000004530000-0x0000000004540000-memory.dmp

Filesize
64KB

Download
memory/1764-218-0x0000000070CD0000-0x0000000071480000-memory.dmp

Filesize
7.7MB

Download
memory/1764-200-0x0000000004530000-0x0000000004540000-memory.dmp

Filesize
64KB

Download
memory/1764-175-0x0000000004530000-0x0000000004540000-memory.dmp

Filesize
64KB

Download
memory/1764-173-0x0000000070CD0000-0x0000000071480000-memory.dmp

Filesize
7.7MB

Download
memory/1988-231-0x0000000070CD0000-0x0000000071480000-memory.dmp

Filesize
7.7MB

Download
memory/2676-220-0x0000000070CD0000-0x0000000071480000-memory.dmp

Filesize
7.7MB

Download
memory/3200-11-0x000001636FDF0000-0x000001636FE00000-memory.dmp

Filesize
64KB

Download
memory/3200-5-0x0000016357770000-0x0000016357792000-memory.dmp

Filesize
136KB

Download
memory/3200-10-0x00007FFEEDA30000-0x00007FFEEE4F1000-memory.dmp

Filesize
10.8MB

Download
memory/3200-12-0x000001636FDF0000-0x000001636FE00000-memory.dmp

Filesize
64KB

Download
memory/3200-13-0x000001636FDF0000-0x000001636FE00000-memory.dmp

Filesize
64KB

Download
memory/3200-15-0x00007FFEEDA30000-0x00007FFEEE4F1000-memory.dmp

Filesize
10.8MB

Download
memory/4388-219-0x000000006EF80000-0x000000006EF90000-memory.dmp

Filesize
64KB

Download
memory/4664-193-0x0000016B39A00000-0x0000016B39A01000-memory.dmp

Filesize
4KB

Download
memory/4664-194-0x0000016B39A00000-0x0000016B39A01000-memory.dmp

Filesize
4KB

Download
memory/4664-195-0x0000016B39A00000-0x0000016B39A01000-memory.dmp

Filesize
4KB

Download
memory/4664-196-0x0000016B39A00000-0x0000016B39A01000-memory.dmp

Filesize
4KB

Download
memory/4664-197-0x0000016B39A00000-0x0000016B39A01000-memory.dmp

Filesize
4KB

Download
memory/4664-198-0x0000016B39A00000-0x0000016B39A01000-memory.dmp

Filesize
4KB

Download
memory/4664-192-0x0000016B39A00000-0x0000016B39A01000-memory.dmp

Filesize
4KB

Download
memory/4664-187-0x0000016B39A00000-0x0000016B39A01000-memory.dmp

Filesize
4KB

Download
memory/4664-188-0x0000016B39A00000-0x0000016B39A01000-memory.dmp

Filesize
4KB

Download
memory/4664-186-0x0000016B39A00000-0x0000016B39A01000-memory.dmp

Filesize
4KB

Download
memory/4944-168-0x0000000070CD0000-0x0000000071480000-memory.dmp

Filesize
7.7MB

Download
memory/4944-164-0x0000000007780000-0x0000000007D24000-memory.dmp

Filesize
5.6MB

Download
memory/4944-163-0x0000000006670000-0x0000000006692000-memory.dmp

Filesize
136KB

Download
memory/4944-162-0x00000000070B0000-0x0000000007146000-memory.dmp

Filesize
600KB

Download
memory/4944-161-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4944-146-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4944-145-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4944-144-0x0000000070CD0000-0x0000000071480000-memory.dmp

Filesize
7.7MB

Download